
They Came for Our Vaccines: Tears, Rage, and a Long-Awaited Court Date in the Hunt for China’s Cyber Spies
A Chinese national accused of carrying out state-directed cyber intrusions targeting U.S. institutions and COVID-19 research has been extradited to the United States and appeared in federal court in Houston, authorities said.
Xu Zewei, 34, was extradited from Italy over the weekend and faces a nine-count indictment alleging his involvement in a series of computer hacking operations between February 2020 and June 2021. Prosecutors say some of the activity was linked to a widespread cyber campaign known as HAFNIUM, which compromised thousands of computers worldwide, including in the United States. Other alleged intrusions targeted American research into COVID-19 vaccines, treatments, and testing during the height of the pandemic.
Xu is charged alongside Zhang Yu, 44, also a Chinese national, who remains at large.
According to court documents, Xu acted under the direction of officers from the Shanghai State Security Bureau, a regional arm of China’s Ministry of State Security, which is responsible for domestic counterintelligence and foreign intelligence operations. At the time, Xu allegedly worked for Shanghai Powerock Network Co. Ltd., described by prosecutors as one of several companies used by the Chinese government to conduct hacking operations.
“Today, Xu Zewei will stand in a federal courtroom to answer for crimes that struck at the heart of American science and security — allegedly stealing COVID-19 research from our universities when the world needed it most,” said Acting U.S. Attorney John G.E. Marck for the Southern District of Texas. “We have pursued this moment across years and continents, and the message this office sends today is the same one we sent when we first unsealed this indictment: we will work to protect the American people.”
Authorities allege that in early 2020, Xu and his co-conspirators targeted U.S.-based universities, immunologists, and virologists conducting COVID-19 research. In one instance, Xu reportedly confirmed to a Chinese intelligence officer that he had infiltrated a university network in the Southern District of Texas. Days later, he was directed to access specific email accounts belonging to researchers, and later confirmed he had obtained their contents.
Beginning in late 2020, prosecutors say Xu and others exploited vulnerabilities in Microsoft Exchange Server software, enabling a broader intrusion campaign associated with HAFNIUM. The campaign affected thousands of systems globally. Even after public disclosure of the vulnerabilities and efforts to mitigate them, hundreds of compromised systems in the United States remained affected.
Among the alleged victims were another university in the Southern District of Texas and a global law firm with offices in Washington, D.C. Investigators say Xu and his co-conspirators installed malicious software known as web shells to maintain remote access to compromised systems. They allegedly searched stolen email data for information related to U.S. policymakers and government agencies, using terms such as “Chinese sources,” “MSS,” and “HongKong.”
Officials say the case highlights what they describe as a broader strategy by the Chinese government to rely on private contractors to obscure its role in cyber operations. Prosecutors allege that such networks operate for profit while casting a wide net to exploit vulnerable systems, often resulting in widespread data theft and exposure beyond the government’s immediate interests.
Xu faces multiple charges, including conspiracy to commit wire fraud, wire fraud, unauthorized access to protected computers, intentional damage to protected computers, and aggravated identity theft. If convicted, he could face significant prison time, with some charges carrying penalties of up to 20 years.
Zhang Yu has not been apprehended, and authorities are seeking information about his whereabouts.
Authorities emphasized that the indictment contains allegations, and that Xu is presumed innocent unless proven guilty in court.
View the indictment in U.S. v. Xu Zewei et al. here.
He Was Paid to Save Companies from Ransomware—Instead, He Secretly Helped Hackers Bleed Them Dry
A Ransomware Negotiator Sold Out His Own Clients—Then Bought a Luxury Fishing Boat with the Bitcoin
A Florida man who worked as a ransomware negotiator has pleaded guilty to conspiring to carry out ransomware attacks against U.S. companies, federal authorities said.
Angelo Martino, 41, of Land O’Lakes, admitted in court to collaborating in 2023 with cybercriminals behind the BlackCat/ALPHV ransomware operation. According to court documents, Martino exploited his position at a U.S.-based cyber incident response company to assist attackers while simultaneously working on behalf of victims.
Beginning in April 2023, Martino served as a negotiator in at least five ransomware cases but secretly provided BlackCat operators with confidential information about his clients’ negotiating strategies. Prosecutors said the information, which included insurance policy limits and internal positions, allowed the attackers to demand higher ransom payments. The disclosures were made without the knowledge or consent of Martino’s employer or its clients, and he was paid by the ransomware group for the information.
“Angelo Martino’s clients trusted him to respond to ransomware threats and help thwart and remedy them on behalf of victims,” said Assistant Attorney General A. Tysen Duva of the Justice Department’s Criminal Division. “Instead, he betrayed them and began launching ransomware attacks himself by assisting cyber criminals and harming victims, his own employer, and the cyber incident response industry itself.”
Authorities said Martino also conspired with Ryan Goldberg of Georgia and Kevin Martin of Texas to carry out ransomware attacks between April and November 2023. All three men worked in the cybersecurity industry and used their expertise to target victims across the United States. In one instance, the group extorted approximately $1.2 million in Bitcoin from a victim and split the proceeds, laundering the funds afterward.
“Ransomware victims turned to this defendant for help, and he sold them out from the inside,” said U.S. Attorney Jason A. Reding Quiñones for the Southern District of Florida. “As he admitted in court, he abused his position at a cyber incident response company to feed confidential information to BlackCat actors, helping them maximize ransom payments from American victims. He then went further, joining the conspiracy himself to deploy ransomware and profit from extortion. This guilty plea makes clear that if you weaponize insider access and cybersecurity expertise against victims in South Florida or anywhere in this country, you will be prosecuted. And as the seizure of more than $10 million in assets shows, you will not get to keep the proceeds of your crime.”
Law enforcement officials have seized approximately $10 million in assets tied to Martino, including digital currency, vehicles, a food truck, and a luxury fishing boat allegedly purchased with proceeds from the scheme.
Martino pleaded guilty to one count of conspiracy to obstruct commerce by extortion and faces a maximum sentence of 20 years in prison. He is scheduled to be sentenced on July 9. Goldberg and Martin previously pleaded guilty to the same charge in December 2025 and each face up to 20 years in prison. Their sentencing is scheduled for April 30.
Authorities noted that the charge is an allegation to which Martino has pleaded guilty, and sentencing will be determined by a federal judge.


